Specifications
SAFER – Vol. 3, Issue 6 15 © 2000 The Relay Group
KDE kscd SHELL Environmental Variable Vulnerability
Released May 16, 2000
Affects KDE 2.0 BETA, 1.2, 1.1.1, 1.1
Reference http://www.securityfocus.com/bid/1206
Problem
- Some Linux distributions (S.u.S.E. 6.4 reported) ship with kscd (a CD player for the KDE Desktop) sgid disk. kscd uses the contents of the 'SHELL' environment variable to execute a browser. This makes it possible to obtain an sgid 'disk' shell.
- Using these privileges along with code provided in the exploit, it is possible to change attributes on raw disks. This in turn allows an attacker to create a root shell, thus compromising the integrity of the machine.
- Red Hat, Linux Mandrake, and Turbo Linux do not currently ship with kscd setgid 'disk'.
SAFER
- Removal of the sgid bit on the kscd binary will eliminate this vulnerability.
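The fix above is to clear the setgid bit. The following audit script is an added example, not code from the SAFER advisory or from KDE: it walks a set of directories, reports every binary that is setgid to group 'disk' (the condition that makes the shipped kscd exploitable), and with --fix clears the bit. The default directory list is an assumption; pass your own on the command line.

```perl
#!/usr/bin/perl
# Added example, not code from the SAFER advisory or from KDE: audit directories
# for binaries that are setgid to group 'disk' and, with --fix, clear the bit
# as the advisory recommends. The default directory list is an assumption.
use strict;
use warnings;
use File::Find;
use Getopt::Long;

my $fix = 0;
GetOptions('fix' => \$fix) or die "usage: $0 [--fix] [dir ...]\n";
my @dirs = @ARGV ? @ARGV : qw(/usr/bin /usr/local/bin /opt/kde/bin);  # assumed defaults
my @existing = grep { -d } @dirs;
@existing or die "none of the directories exist: @dirs\n";

# Numeric gid of the 'disk' group; a system without one cannot be affected.
my $disk_gid = getgrnam('disk');
defined $disk_gid or die "no 'disk' group on this system\n";

my @found;
find({ wanted => \&check, no_chdir => 1 }, @existing);

sub check {
    my $path = $File::Find::name;
    my @st = lstat $path or return;    # lstat: do not follow symlinks
    return unless -f _;                # regular files only
    my ($mode, $gid) = @st[2, 5];
    return unless $gid == $disk_gid;   # group 'disk' ...
    return unless $mode & 02000;       # ... and the setgid bit is set
    push @found, $path;
    printf "setgid disk: %s (mode %04o)\n", $path, $mode & 07777;
    if ($fix) {
        # Equivalent of 'chmod g-s': keep every other bit, drop setgid.
        # Needs root; on failure we report and carry on.
        if (chmod(($mode & 07777) & ~02000, $path)) {
            print "  cleared setgid bit on $path\n";
        } else {
            warn "  could not chmod $path: $!\n";
        }
    }
}

printf "%d setgid-disk binar%s found\n", scalar @found, @found == 1 ? 'y' : 'ies';
```

Run it without --fix first to see what would change; the report lists the current mode so the other permission bits can be confirmed before the setgid bit is dropped.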
Matt Kruse Calendar Arbitrary Command Execution Vulnerability
Released May 16, 2000
Affects Matt Kruse Calendar Script 2.2
Reference http://www.securityfocus.com/bid/1215
Problem
- There are two components of this package, calendar-admin.pl and calendar.pl. calendar-admin.pl calls open() with user input in the command string but does not check the input for metacharacters. It is therefore possible to execute arbitrary commands on the target host by passing "|shell command|" as one value of the "configuration file" field.
- The shell that is spawned by the open() call will then execute those commands with the uid of the webserver. This can result in remote access to the system for the attacker. calendar.pl is vulnerable to a similar attack.
SAFER
- A new version of Calendar is available.
Netopia DSL Router Vulnerability
Released May 16, 2000
Affects Netopia R-series routers 4.6.2
Reference http://www.securityfocus.com/bid/1177
Problem
- All R-series platforms with firmware between 4.3.8 and 4.6.2 (inclusive) allow users who already have access to the router to modify SNMP tables which they should not be able to access. The router has a command-line mode that is reached by typing control-N after the user has passed the initial login test.
- At the "#" prompt one can then do most management of the device. This includes the setting of SNMP community strings in spite of the limitation imposed by the administrator.
SAFER
- Download version 4.6.3 of the firmware.